The U.S.-led intelligence alliance flagged Anthropic’s Fable 5 and OpenAI’s Daybreak as major cyber triggers, while India’s cyber watchdog issued a similar warning months earlier as attacks surged.
NEW DELHI — The Five Eyes alliance has issued a fresh alert that artificial intelligence will rapidly amplify cyberattacks in the coming months, as India faces an increasing wave of AI-powered threats from outside the coalition.
The joint statement came from the cyber and intelligence agencies of the United States, United Kingdom, Canada, Australia and New Zealand. It carried an unusually specific claim: that the hacking power of frontier AI models like Anthropic’s Fable 5 and OpenAI’s Daybreak will reach the public “within the year,” even as the companies try to restrict access.
“Frontier AI models are anticipated to exceed current industry expectations, fundamentally transforming both offensive and defensive cyber capabilities,” the agencies said. “The timeline is not years, it is months.”
Six agencies signed it: the US National Security Agency and CISA, the UK and New Zealand national cyber security centres, the Canadian Centre for Cyber Security, and Australia’s Cyber Security Centre. NSA cyber director David Imbordino and acting CISA chief Nick Andersen put their names to the document, which cited no classified sources. The advice that followed was old: fix legacy systems, patch faster, cut needless internet exposure, tighten identity controls and plan for incidents before they hit.
India was not in the room. It is not a Five Eyes member, and it has long preferred what its foreign ministry calls “multi-alignment” to formal blocs. But the warning landed on a country that had issued nearly the same one two months earlier, with the attack data to back it up.
India Issued This Warning Before Anyone Else
On April 26, India’s Computer Emergency Response Team, CERT-In, published an advisory titled “Defending Against Frontier AI Driven Cyber Risks.” It warned that maturing AI can now find software flaws on its own, read source code and run multi-stage attacks that once needed teams of skilled humans.
The advisory did not treat the risk as distant. CERT-In named small and mid-sized businesses as the softest targets, because they run on thin budgets and weaker defenses, and it flagged banks, telecom networks and government systems as the sectors under the most pressure.
So while the Five Eyes statement reads as a forecast, in India it reads as a description.
| Five Eyes statement | India’s CERT-In advisory | |
|---|---|---|
| Issued | June 22, 2026 | April 26, 2026 |
| By | Six agencies across the US, UK, Canada, Australia and New Zealand | India’s Computer Emergency Response Team |
| Core warning | Frontier AI will reshape offensive cyber within months | Maturing AI can autonomously find flaws and run multi-stage attacks |
| Models named | Anthropic’s Fable 5, OpenAI’s Daybreak | None named |
| Hardest-hit target | Legacy systems, weak identity controls | Small and mid-sized businesses; banking sector |
| Headline action | CISA’s three-day patch mandate for federal agencies | Voluntary guidance: patching, MFA, staff training |
| Enforcement | Binding directive | Advisory only |
Why This Matters for the World’s Leading AI Labs
For the AI companies on my beat, being named by spy agencies is a new kind of exposure, and Anthropic has already felt it. Earlier this month the Trump administration placed export controls on Fable 5 after an Amazon threat-intelligence report flagged its hacking potential. Anthropic shut down access to Fable 5 and Mythos 5, then called the decision a “misunderstanding.”
Here is the catch the alliance plays down: many security researchers do not think Fable 5 is special. The same attacks, they argue, can already be run with older models such as Claude Opus and Claude Sonnet, or with open-source Chinese models that trail the frontier by six to eight months. The danger is less a single model than the speed at which a restricted capability becomes a free one.
Both Anthropic and OpenAI say the same technology can defend. Anthropic runs a program called Project Glasswing, and OpenAI a Trusted Access for Cyber Program, each handing AI tools to defenders so they can find bugs before attackers do. The Five Eyes agencies backed that approach, urging organizations to use AI “to strengthen defence.”
Why the US Can Enforce This Deadline—but India Can’t
The hard edge of the warning is a deadline. On June 10, CISA ordered US federal civilian agencies to fix, disable or remove their most serious vulnerabilities within three calendar days, down from the old multi-week cycles. Lesser flaws get two weeks. The least serious get up to two months.
India has no equivalent mandate. CERT-In’s advice to its most exposed users, to keep systems patched, switch on multi-factor authentication and keep unverified AI tools out of production, is sound. But it is guidance, not a clock.
That gap is the real story for India. The Five Eyes can line up five governments behind a single deadline. India is defending the same frontier alone, with a larger attack surface and a warning it had already written for itself.
“Success will come from getting the basics right, acting quickly, and integrating cyber security into core business strategy,” the agencies wrote. “Those that do not will face growing operational and strategic disadvantage.”
India read that memo in April. The open question is whether its banks and small businesses can move as fast as the models can.
Leave a Reply